Endpoint Encryption

Endpoint encryption refers to encrypting the data stored on "endpoints," such as laptops, phones, and tablets. Encryption is the process of transforming readable words and numbers, called plaintext, into an unreadable form of letters, numbers, and symbols, called ciphertext, which cannot be read without the key held by authorized people.

The state uses two different software products to manage encrypted drives. The first is Wave, which provides hardware-based encryption, and the other is BitLocker, which provides software-based encryption. Wave encrypts the whole hard drive, and the drive can only be unlocked by a user entering a password at power-on. After the password is entered correctly, the device boots into the operating system and the user can work normally. To use this kind of encryption, you must have a self-encrypting drive (SED) that Wave can manage. BitLocker is enabled within the operating system. Users only have to enter a key if an unauthorized party tries to access the hard drive while it is powered off. Because BitLocker is managed by the operating system, wiping the hard drive also removes the BitLocker encryption.
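The following PowerShell check is an added example, not part of the original page or of ITD's own tooling; it assumes a Windows device with the BitLocker module available and an elevated prompt, and reports whether each fixed volume is fully encrypted, has protection turned on, unlocks via TPM (so users are not prompted for a key on every boot), and has a recovery password protector that can be escrowed.

```powershell
# Added example (not from the original page): report BitLocker state per volume
# and flag volumes that miss a simple baseline of
# "protection on, fully encrypted, TPM unlock, recovery password available".
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later)
# and an elevated session; run it on one endpoint or wrap it in Invoke-Command.
$volumes = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' -or $_.VolumeType -eq 'Data' }

foreach ($v in $volumes) {
    # Key protectors describe how the volume key is unlocked (Tpm, TpmPin, RecoveryPassword, ...).
    $protectorTypes = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasTpm      = ($protectorTypes -contains 'Tpm') -or ($protectorTypes -contains 'TpmPin')
    $hasRecovery = ($protectorTypes -contains 'RecoveryPassword')

    $issues = @()
    if ($v.ProtectionStatus -ne 'On') {
        $issues += "protection is $($v.ProtectionStatus)"
    }
    if ($v.VolumeStatus -ne 'FullyEncrypted') {
        $issues += "volume status is $($v.VolumeStatus) ($($v.EncryptionPercentage)% encrypted)"
    }
    if ($v.VolumeType -eq 'OperatingSystem' -and -not $hasTpm) {
        $issues += 'no TPM protector (users would be prompted for a key at every boot)'
    }
    if (-not $hasRecovery) {
        $issues += 'no recovery password protector to escrow'
    }

    # One row per volume; Compliant is $true only when no issue was recorded.
    [pscustomobject]@{
        Volume     = $v.MountPoint
        Type       = $v.VolumeType
        Method     = $v.EncryptionMethod
        Protectors = ($protectorTypes -join ',')
        Compliant  = ($issues.Count -eq 0)
        Issues     = ($issues -join '; ')
    }
}
```

A volume reported with protection off or a missing recovery protector is one that would not behave as the paragraph above describes if the drive were removed or the device lost.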

Wave Systems Update (3/16/16)

Wave Systems has declared bankruptcy; therefore, ITD is in the process of selecting and implementing an alternative solution for agencies that currently utilize Wave. This page will be updated once a new solution is available. Contact the Service Desk for more information.

Benefits:

Data Protection – Even if a device is lost or stolen, a hacker would need to break the encryption key in addition to a password to get into the device and access the data. Because the encryption key is only unlocked during boot-up, your data stays safe even if the hard drive is removed from the device and plugged into an external reader.

Prevents Boot Modifications – If someone tries to get at the data stored on the device by booting from a USB or CD drive, they will not be able to read it. This is because the drive stays locked when booting from another device until that boot is authorized.